Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
i got hacked. what were they up to?
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3 ... , 16, 17, 18  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
iothal
n00b
n00b


Joined: 05 Nov 2003
Posts: 3

PostPosted: Sat Nov 12, 2005 1:58 pm    Post subject: Reply with quote

Perhaps this can be of use to somebody.
Caveat, I'm not a good scripter...

cronjob:
#!/bin/sh
grep "Invalid user" /var/log/auth.log | gawk '{print $10}'|sort -u > /tmp/drop
grep "Failed password for root from" /var/log/auth.log | gawk '{print $11}'|sort -u >> /tmp/drop
cat /etc/badips >> /tmp/drop
cat /tmp/drop | sort -u > /tmp/dropu
#Compare dropu and badips, only drop
#members who are in dropu but not in badips
#Drop them
/sbin/drop.pl
cp /tmp/dropu /etc/badips
rm /tmp/drop
rm /tmp/dropu


perlscript:
#!/usr/bin/perl -w
# point to wherever you keep /sbin/iptables
my $iptables='/sbin/iptables';
my $alreadyBlocked = '/etc/badips';
my $couldBeAssholes = '/tmp/dropu';

#Sanity check
open(BLOCKED, $alreadyBlocked) || die("Could not open block file!");
open(NEW, $couldBeAssholes) || die("Could not open prospects file!");

#Read could be assholes and if not found in alreadyblocked
#yeah... smack them!
my @blocked = <BLOCKED>;
my @new = <NEW>;

my %seen; # lookup table for already blocked
my @notblocked; # not already blocked

# build lookup table
foreach $item (@blocked) { $seen{$item} = 1 }

foreach $entry(@new)
{
push(@notblocked,$entry) unless $seen{$entry};
$seen{$entry} = 1;
}

my $block="32";
my $target = "NOLOGDUMP";
my $chain = "INPUT";
my $inf = "eth0";
foreach $entry(@notblocked)
{
chomp($entry);
#print "Dropping: ".$entry."\n";
system("$iptables -A $chain -i $inf -s $entry/$block -j $target");
}

iptables ( stolen from a previous post in this thread):
#Chain to drop script kiddies
iptables -N NOLOGDUMP > /dev/null
iptables -F NOLOGDUMP
iptables -A NOLOGDUMP -p tcp -j REJECT --reject-with tcp-reset
iptables -A NOLOGDUMP -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A NOLOGDUMP -j DROP

Oh, and u probably need to touch /etc/badips before the first run.
Enjoy!
Back to top
View user's profile Send private message
assaf
Apprentice
Apprentice


Joined: 14 Feb 2005
Posts: 152
Location: http://localhost

PostPosted: Fri Nov 18, 2005 11:20 am    Post subject: Reply with quote

LOL @ this thread... Good thing i'm running sshd on port xyxyx... :roll:
Back to top
View user's profile Send private message
sloof3
Tux's lil' helper
Tux's lil' helper


Joined: 09 Sep 2004
Posts: 75

PostPosted: Mon Nov 21, 2005 3:29 am    Post subject: Reply with quote

We've all done it before but there is already a better tool to check the logs for failed logins: http://denyhosts.sourceforge.net/
Back to top
View user's profile Send private message
LostControl
l33t
l33t


Joined: 02 Mar 2004
Posts: 885
Location: La Glane, Suisse

PostPosted: Mon Nov 21, 2005 6:15 pm    Post subject: Reply with quote

sloof3 wrote:
We've all done it before but there is already a better tool to check the logs for failed logins: http://denyhosts.sourceforge.net/

And do not forget Fail2ban :wink: It is now in Portage.
_________________
http://www.jaqpot.net
http://www.fail2ban.org
Back to top
View user's profile Send private message
blommethomas
Apprentice
Apprentice


Joined: 16 Nov 2005
Posts: 285
Location: roeselare, belgium

PostPosted: Mon Nov 21, 2005 7:57 pm    Post subject: Reply with quote

just read through a few messages of this threads.
I'm not a professional, but I'm installing LINUX now.
My dad has got a LINUX comp already and he was informed by e-mail about attempts to connect to the Internet, anyone knows more about this?
_________________
IK BEN GEK
Back to top
View user's profile Send private message
fuzzythebear
Guru
Guru


Joined: 28 Nov 2004
Posts: 317

PostPosted: Tue Nov 22, 2005 11:31 pm    Post subject: Phisical security Reply with quote

This thread ( and by jove was it long to read it all .. ; )
we seen a lot about remote logins and ssh .. but and this might be good
for a new thread how about physical security ?

If the attacker is in fact a theif coing in and stealing a disk in a
tray or stealing the machine ? How would we be able to make
sure that the data would be safe from prying eyes..

Ex . we all know that the OS need not be running on a particular disk to
be able to read it and use it ..

How would we go about to protect the data in that kind of an occurence ?
Is it possible to make the data unreadable without a floppy in the drive ?
a small usb key or somethign else i have no clue about ?

In fact .. once the disk is out the machine , is there any way at all to protect
the data ?

Fuzzy
Back to top
View user's profile Send private message
heartburn
n00b
n00b


Joined: 18 Oct 2002
Posts: 40

PostPosted: Tue Nov 29, 2005 7:00 am    Post subject: Reply with quote

fuzzythebear,

that's why god created data centers. Physical security is just that: physical. Sure, there's encryption... maybe even self-destruction. But nothing beats a few well-trained, highly paid, professional armed guards standing outside the 6-inch thick, retina-scanning steel doors of a natural-disaster-proof, underground building complete with around-the-clock video surveillance and an identically equipped backup facility on another continent. Or, you could just lock the machine in the basement. I guess it all depends on what you're trying to protect. But if you're worried about people who actually come in contact with the machine, you need to think physical. Software solutions will be secondary.


d11wtq,

You really should read about the DSA authentication.
http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml?style=printable
You can configure your machine to use DSA authentication instead of PAM. Then, passwords are almost a non-issue. Nobody can even get to a login prompt without a valid private key. After I set up DSA-only authentication on my webserver, I went from literally hundreds of failed login attempts per day to zero (not counting my own fat-fingered passphrase misspellings). It's definitely worth it.

- mark
Back to top
View user's profile Send private message
heartburn
n00b
n00b


Joined: 18 Oct 2002
Posts: 40

PostPosted: Tue Nov 29, 2005 7:25 am    Post subject: Reply with quote

One more thing I did recently was set to set up a daily cron job to emerge and run chkrootkit. I know that many people run chkrootkit as a cron job, but I was thinking that if I was cracking a system, I might want to replace chkrootkit with a script that produces a false report. So I figured the best thing to do is rebuild it right before I run it each time. I suppose that could be faked too. Unfortunately, my machine is hosted so I don't have the option of putting an unwritable version in the CD drive. Any thoughts?

I also started running psad. That's the port scan detection system configured by bastille. It looks pretty good, but I can't find very much information about it on the web. Is anyone else using it? Does anyone have any tips on configuring it?

- mark
Back to top
View user's profile Send private message
mutlu_inek
Tux's lil' helper
Tux's lil' helper


Joined: 20 Nov 2004
Posts: 141

PostPosted: Wed Dec 07, 2005 1:44 am    Post subject: Re: Phisical security Reply with quote

fuzzythebear wrote:
Is it possible to make the data unreadable

How about encryption?
E.g. http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS (or forum search)

added:
http://gentoo-wiki.com/SECURITY_FileSystem_Encryption_without_ROOT
http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_CFS
Back to top
View user's profile Send private message
AmosMutke
Apprentice
Apprentice


Joined: 24 Dec 2003
Posts: 235
Location: Akita, Japan.

PostPosted: Wed Dec 07, 2005 3:14 am    Post subject: Reply with quote

heartburn wrote:
One more thing I did recently was set to set up a daily cron job to emerge and run chkrootkit. I know that many people run chkrootkit as a cron job, but I was thinking that if I was cracking a system, I might want to replace chkrootkit with a script that produces a false report. So I figured the best thing to do is rebuild it right before I run it each time. I suppose that could be faked too. Unfortunately, my machine is hosted so I don't have the option of putting an unwritable version in the CD drive. Any thoughts?


would mounting a partition read-only have the same effect of a cdrom? Are there any additional security risks since the media isn't physically read-only? Clearly, even root can't force data to write on a normal CD.

maybe this could be a viable option for people who don't have a cdrom drive on their system.
Back to top
View user's profile Send private message
MrUlterior
Guru
Guru


Joined: 22 Mar 2005
Posts: 511
Location: Switzerland

PostPosted: Wed Jan 04, 2006 3:47 pm    Post subject: Reply with quote

heartburn wrote:
One more thing I did recently was set to set up a daily cron job to emerge and run chkrootkit. I know that many people run chkrootkit as a cron job, but I was thinking that if I was cracking a system, I might want to replace chkrootkit with a script that produces a false report. So I figured the best thing to do is rebuild it right before I run it each time. I suppose that could be faked too. Unfortunately, my machine is hosted so I don't have the option of putting an unwritable version in the CD drive. Any thoughts?

I also started running psad. That's the port scan detection system configured by bastille. It looks pretty good, but I can't find very much information about it on the web. Is anyone else using it? Does anyone have any tips on configuring it?

- mark


That's a waste of time, last I checked chkrootkit depends on external binaries, if these are compromised, regardless of how often you rebuild chkrootkit, the results will be false. Unless you want to re-emerge your base system before each test.

Why not just use tripwire/aide/swatch/whatever and monitor your binaries for changes? If you're a good *nix citizen you've mounted every other location "noexec" so besides /bin & /usr there's nowhere else a rootkit could install & execute its components. Actually more likely you've done the usual one partition for "/" and everything on it ... I'm not going to get into that discussion again tho :-)
_________________

Misanthropy 2.0 - enough hate to go around
Back to top
View user's profile Send private message
yottabit
Guru
Guru


Joined: 11 Nov 2002
Posts: 313
Location: Columbus, Ohio, US

PostPosted: Fri Jan 06, 2006 9:03 pm    Post subject: Reply with quote

28,036 unsuccessful attempts in one month... Unreal.

Usernames spam, erin, draco, bank, 123, abc123, abc, ghost, admin, nobody, ftpuser, allan, dummy, public, test, danny, linda, www, www-data, info, sales, oracle, support, testing, yamaguchi, alonso, cynthia, stefan, fuck, karl, ed, angela, fred, amy, pgsql, upload, chris, pop, franklin, andrew, owner, owners, op, db, anita, bind, ben, beny, bert, alin, theo, philip, roland, emil, enzo, felix, francis, ian, ismail, jared42, akcesbenefit, greg, cs, wwwrun, rolo, web1, matt, web, anonymous, apples, xxx, miller, chicago, tweety, snoopy, ashley, bandit, madison, princess, viper, francois, mortimer, lucas, leslie, leroy, lara, sec2, sec1, sec, kassa, maneager, maneager1, emi, emiliano, cafe, internet, play, open, samba, kathi, cgi, nicole, denied, work, cyborg, right, file, text, gnome, kde, lftp, ventas, spg, jag, ag1, ac, lm, aa, jg, khan, rmgadm!, rmgadmin, daniel, hectorh, epanchi, pvm, junkbust, radvd, dennis vivian, larry, jacob, game, cvs, benahmed, rachafi, ramamurthy, tia, ricky, nuzahar, cindy, bernard, ace-html, bestrella, darcos, vojeda, smakom, bannamuki, yoshida, tunekiyo, yakayama, t-miyata, t-ikeda, shigeno, mizoguti, kyoda, kawano, jinta, horii, eigyou, dozono, denryoku, anthony, hunter, joshua, exit, juan, nathan, william, yusaf, sitasubedi, sanjiv, sagun, rajen, kamal, arun, aroon, smc, tcp, log, logs, administrator, jack, marvin, andrea, barbara, adine, alan, albert, alberto, alex, alfred, ali, alice, allan, andi, andrew, student, r00t, download, nigel, upload, services, office, bobby, username, sharon, aron, brett, alex, mike, data, http, httpd, shop, ........................ many many many more, and those were all from 222.122.21.202 just yesterday. :)

I should install DShield on my Smoothwall. That would be cool to see how much it lessens the impact. I have been using public-key auth since I first saw the attacks last October. My passwords are fine, but I'm afraid some of my users probably use bad passwords.

I would like to block all of these attempts simply to save processor cycles, Internet congestion, and intranet congestion. I thought about installing that 'reactive' firewall mod for Smoothwall too... too many connection attempts within so many seconds from a given IP and it automagically firewalls that IP.

J
_________________
Play The Hitchhiker's Guide to the Galaxy!
Back to top
View user's profile Send private message
kamikaze04
Guru
Guru


Joined: 28 Mar 2004
Posts: 366
Location: Valencia-Spain

PostPosted: Fri Jan 06, 2006 10:48 pm    Post subject: Reply with quote

yottabit, you would like to test : Denyhosts , great program, and it blocks ips doing dictionary attacks perfectly. I really recommend it. My servers passed from thousands of login attempts in a month to 10 in a day :)
_________________
Todo lo que quisiste saber sobre google en: www.noticiasgoogle.es
Back to top
View user's profile Send private message
yottabit
Guru
Guru


Joined: 11 Nov 2002
Posts: 313
Location: Columbus, Ohio, US

PostPosted: Tue Jan 10, 2006 3:58 pm    Post subject: Reply with quote

kamikaze04 wrote:
yottabit, you would like to test : Denyhosts , great program, and it blocks ips doing dictionary attacks perfectly. I really recommend it. My servers passed from thousands of login attempts in a month to 10 in a day :)


Excellent tool and already in Portage. Thanks!!
_________________
Play The Hitchhiker's Guide to the Galaxy!
Back to top
View user's profile Send private message
LostControl
l33t
l33t


Joined: 02 Mar 2004
Posts: 885
Location: La Glane, Suisse

PostPosted: Tue Jan 10, 2006 7:29 pm    Post subject: Reply with quote

kamikaze04 wrote:
yottabit, you would like to test : Denyhosts , great program, and it blocks ips doing dictionary attacks perfectly. I really recommend it. My servers passed from thousands of login attempts in a month to 10 in a day :)

You can also try fail2ban :wink:
_________________
http://www.jaqpot.net
http://www.fail2ban.org
Back to top
View user's profile Send private message
Bigun
Advocate
Advocate


Joined: 21 Sep 2003
Posts: 2057

PostPosted: Mon Jan 23, 2006 10:27 pm    Post subject: Reply with quote

Guh, I now have an 11 Mb log of nothing but SSH login attempts!

This is old, anyway possible to honeypot the attempts to make it quit hogging bandwidth?

I attempted to stop sshd but the script wouldn't stop trying.

I mean, make some lame username like "a" with the password "a" and make the default shell /dev/null or something.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim
Back to top
View user's profile Send private message
Barnoid
Tux's lil' helper
Tux's lil' helper


Joined: 30 Jul 2004
Posts: 85

PostPosted: Thu Feb 02, 2006 7:50 am    Post subject: Reply with quote

bigun89 wrote:
Guh, I now have an 11 Mb log of nothing but SSH login attempts!

This is old, anyway possible to honeypot the attempts to make it quit hogging bandwidth?

I attempted to stop sshd but the script wouldn't stop trying.

I mean, make some lame username like "a" with the password "a" and make the default shell /dev/null or something.


It's been said before, I'll say it again: change the port of your SSH server. It's that simple. I haven't had one incident since I've changed it (~2 years ago).
Back to top
View user's profile Send private message
Adrien
Advocate
Advocate


Joined: 13 Jul 2004
Posts: 2249
Location: Paris - France

PostPosted: Thu Feb 02, 2006 10:16 am    Post subject: Reply with quote

Barnoid wrote:
It's been said before, I'll say it again: change the port of your SSH server. It's that simple. I haven't had one incident since I've changed it (~2 years ago).

I'm not sure it's definitely the best idea as most of ssh bruteforce attacks start with a portscan.
Back to top
View user's profile Send private message
piercey
Apprentice
Apprentice


Joined: 28 Jan 2005
Posts: 182

PostPosted: Sat Feb 04, 2006 11:59 pm    Post subject: Reply with quote

Adrien wrote:
Barnoid wrote:
It's been said before, I'll say it again: change the port of your SSH server. It's that simple. I haven't had one incident since I've changed it (~2 years ago).

I'm not sure it's definitely the best idea as most of ssh bruteforce attacks start with a portscan.

A regular portscan wont go over a certain number of ports anyway, so choosing a high enough port is another way around this problem.
Of course not everyone can just change their port number, and thats why these tools exist.
_________________
[ 2008.0 X86 E8400 @ 4.0Ghz ]
Back to top
View user's profile Send private message
linuxgeekery
n00b
n00b


Joined: 07 Jun 2005
Posts: 27

PostPosted: Sun Feb 05, 2006 6:52 pm    Post subject: Reply with quote

I've had several hundred breakin attempts over the last 2 days. I created a 'test test' account with a honeypot script as it's shell. So when the hacker gets in, he'll be greeted with a message saying "Sorry, this box is secured. =)" and a "cat /dev/urandom". It also logs the IP address and sends it to a log.
Back to top
View user's profile Send private message
assaf
Apprentice
Apprentice


Joined: 14 Feb 2005
Posts: 152
Location: http://localhost

PostPosted: Sun Feb 05, 2006 8:25 pm    Post subject: Reply with quote

linuxgeekery wrote:
and a "cat /dev/urandom"


I'm sure the poor hacker will be crying himself to sleep tonight :P
Back to top
View user's profile Send private message
MrUlterior
Guru
Guru


Joined: 22 Mar 2005
Posts: 511
Location: Switzerland

PostPosted: Mon Feb 06, 2006 1:52 pm    Post subject: Reply with quote

linuxgeekery wrote:
I've had several hundred breakin attempts over the last 2 days. I created a 'test test' account with a honeypot script as it's shell. So when the hacker gets in, he'll be greeted with a message saying "Sorry, this box is secured. =)" and a "cat /dev/urandom". It also logs the IP address and sends it to a log.



So, in order to DoS you I just need to connect as test/test several hundred times till I saturate your connection.... that's smart! :-P
_________________

Misanthropy 2.0 - enough hate to go around
Back to top
View user's profile Send private message
vectox
n00b
n00b


Joined: 29 Oct 2004
Posts: 21
Location: Luxembourg

PostPosted: Mon Feb 06, 2006 9:54 pm    Post subject: Hah Reply with quote

Lol..gotta love that last one. I think it's better to reduce the load on the system completely. Your right...a few hundred attempts and the system is overloaded with honeypot processes. Sure it's cool on a user level, but most of these attempts are scripted and flooding the Internet with hundreds of attempts and the hacker is never going to see you "this box is secure msg". Use metalog...so it puts all sshd events in an sshd folder seperate from the syslog....save yourself greping the syslog file. I had ssh running on the standard ol port 22 for a while.....I got tons of brute force attempts...mostly from Korea, China and a small number from the US....reporting them all is a wasted effort...and most of them I would guess are just zombie boxes anyway...not the actual hackers box.

My solution, same as the person above, is to just change the port your running sshd on. It's simple....no extra processing on your server and unless your server is public to many users expecting to ssh to port 22.....your likely the only one logging onto it anyway. It still allows you to log onto it from anywhere in the world. Also like the user above I've been running sshd on a non-standard high port and haven't had one brute force attempt since...all the failed password attempts are by yours truly :).

Suck it up people...change the stupid port!
Back to top
View user's profile Send private message
Bigun
Advocate
Advocate


Joined: 21 Sep 2003
Posts: 2057

PostPosted: Wed Feb 08, 2006 1:17 pm    Post subject: Re: Hah Reply with quote

*snip*
vectox wrote:
...Use metalog...so it puts all sshd events in an sshd folder seperate from the syslog....save yourself greping the syslog file....

*snip*

Syslog-ng is capable as well.

https://forums.gentoo.org/viewtopic-t-399997-highlight-ssh.html
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim
Back to top
View user's profile Send private message
RBH
Apprentice
Apprentice


Joined: 31 Oct 2004
Posts: 184

PostPosted: Tue Feb 14, 2006 2:03 am    Post subject: Reply with quote

I feel left out: despite having had a static IP for nearly 2 and a half years, I've not had one failed SSH login appear in my logs that wasn't my own doing. I run chkrootkit periodically (i.e. when I'm logged in finding things to do) and have never found anything.

I expect this is because my boxes are always behind a router that denies all packets that aren't specifically permitted (HTTP, DNS et al). Do you guys all connect directly, or something? Wouldn't a hardware router - just a bog standard Netgear one - be a good idea?

I might be talking out of my backside and apologies if that's the case, but this seems to be something of an obvious step to take.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page Previous  1, 2, 3 ... , 16, 17, 18  Next
Page 17 of 18

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum